IT350M4_Task 1_Katie Monroe
School: Purdue Global University
Course: 350
Subject: Information Systems
Date: Dec 6, 2023
Type: docx, 6 pages

Common Security Expressions
Katie Monroe
Purdue Global
IT350M4 Task 1
Dr. Michael Jones
December 2, 2023
The Bike Stores database houses critical financial data, so it is important to create a secure environment for your SQL Server. Authentication and authorization of users against data, the service account, security layers, and encryption can be considered security features (MeeraDi et al., 2023). Most security issues arise from the design and development phase (MeeraDi et al., 2023). SQL Server supports two authentication modes: Windows authentication mode, and mixed mode with both SQL Server and Windows authentication (MeeraDi et al., 2023). You can implement a required SQL Server login to the Bike Stores database that requires a strong and complex password that cannot easily be guessed and is not used for any other accounts or purposes (MeeraDi et al., 2023). Assign all users to use multi-factor authentication wherever it is possible (Singh, 2022). Grant only the required permissions and restrict unwanted higher privileges (Singh, 2022). Do not allow anyone to use generic accounts like sa in SQL Server (Singh, 2022); they should be removed or disabled (Singh, 2022). Authorization is the process of granting access to objects (Singh, 2022). You can restrict or authorize someone to access a database object (Singh, 2022). Microsoft SQL Server's role-based access control allows the assignment of specific roles to users, controlling their level of privilege (Singh, 2022). Microsoft SQL Server is a user-mode application (MeeraDi et al., 2023). The service account is a full Windows user account and provides the security privileges for the SQL Server service to access Windows platform resources such as the file system, network, and registry (MeeraDi et al., 2023). The most important point is that the SQL Server service account should not be shared with other SQL Server instances, and it is preferred to be on a domain controller (MeeraDi et al., 2023).
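The login, privilege and sa-account recommendations above, as an added T-SQL example that is not part of the paper or of the cited sources. The database name BikeStores, the sales schema, the sales.customers columns and the login and role names are assumptions; the password is a labelled placeholder.

```sql
-- Added example (not from the paper): hardening logins and permissions for the
-- Bike Stores database. Login, role, schema and column names are assumed.
USE master;
GO
-- Disable the well-known privileged sa account rather than leaving it active.
ALTER LOGIN sa DISABLE;
GO
-- A SQL Server login for mixed-mode authentication. CHECK_POLICY and
-- CHECK_EXPIRATION make the Windows password complexity and expiration
-- policy apply to this login instead of accepting any password.
CREATE LOGIN bikestores_reporting
    WITH PASSWORD = 'REPLACE-WITH-LONG-UNIQUE-PASSPHRASE-placeholder',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;
GO
USE BikeStores;   -- assumed database name
GO
-- Map the login to a database user and give it a purpose-specific role
-- instead of a fixed high-privilege role such as db_owner.
CREATE USER bikestores_reporting FOR LOGIN bikestores_reporting;
CREATE ROLE sales_readonly;
GRANT SELECT ON SCHEMA::sales TO sales_readonly;          -- read sales data only
-- Column-level DENY keeps contact details out of a reporting role even though
-- the schema-level GRANT covers the rest of the table.
DENY SELECT ON OBJECT::sales.customers (phone, email) TO sales_readonly;
ALTER ROLE sales_readonly ADD MEMBER bikestores_reporting;
GO
-- Verification query: any row returned is either the sa login (confirm
-- is_disabled = 1) or a SQL login that escaped the password policy.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE name = 'sa'
   OR is_policy_checked = 0
   OR is_expiration_checked = 0;
```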
Microsoft SQL Server security can be organized into several layers (MeeraDi et al., 2023). Physical security ensures that the server's physical location is safe and is restricted from unauthorized access (Singh, 2022). Transparent Data Encryption encrypts data at rest, safeguarding it from unauthorized access in case of physical theft or unauthorized access to database files (Singh, 2022). Network security is where you ensure that all communications are safe and secure (Singh, 2022). Operating system security involves security at the platform level and prevents any unauthorized access to the database system (Singh, 2022). Database security secures the database and its objects at various levels by adopting adequate access control measures inside the database (Singh, 2022). The Windows Data Protection API is an encryption capability on the Windows platform for encrypting and decrypting data (Singh, 2022). The encryption algorithm differs depending on the version, logins, server roles, and credentials (Singh, 2022). At the database level, the security objects are users, certificates, functions, schemas, and encryption keys (Singh, 2022). The Always Encrypted feature encrypts sensitive data, ensuring that only client applications with access to the encryption keys can view the decrypted information (Singh, 2022). It is helpful to know which common threats put SQL Server at risk. The three most common threats are SQL injection, authentication, and passwords (MeeraDi et al., 2023). SQL injection is a type of attack where malicious code is written into a SQL statement instead of valid entries (MeeraDi et al., 2023). The attack has the potential to corrupt or destroy data (MeeraDi et al., 2023). A way to prevent SQL injection attacks is to use stored procedures and parameterized commands (MeeraDi et al., 2023). Use Windows authentication whenever possible to avoid connection string injection (MeeraDi et al., 2023).
These occur when the connection string does not check for valid keyword pairs (MeeraDi et al., 2023). Use the SqlConnectionStringBuilder to create and validate connection strings at run time if you must use SQL Server logins (MeeraDi et al., 2023). Passwords are the first line of defense, and many attackers are successful just by being able to obtain or guess the password of a privileged user (MeeraDi et al., 2023). You can avoid this by using complex, strong passwords (MeeraDi et al., 2023). Create and enforce password usage policies for mixed-mode authentication (MeeraDi et al., 2023). In terms of regulatory requirements, you should limit access to the database (IBM, 2023). The more limited the permissions and privileges are, the better (IBM, 2023). Controlling user access will help keep attacks away from the information. Only certain users and procedures are authorized to query sensitive information (IBM, 2023). In addition to limiting user access, a good practice is to disable all services and procedures that are not in use (IBM, 2023). Lastly, the database should be on a server that does not have direct access to the internet, to prevent the information from being exposed (IBM, 2023). Before you can implement protection tools and techniques, you first need to analyze and identify what information you consider to be sensitive and critical data that needs to be protected (IBM, 2023). It is important to understand the logic of the database so that you can easily determine where and how the sensitive data needs to be stored (IBM, 2023). Not all data needs to be protected. While you identify what data should be secured, you should also keep an inventory of the company's databases (IBM, 2023). The best way to prevent loss of information or data is to keep a record of all the instances and databases (IBM, 2023). This is especially useful when backing up the information, to prevent critical data from being left out of the scheme (IBM, 2023).
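The stored-procedure and parameterized-command advice in the SQL injection paragraph above, as an added T-SQL example that is not code from the paper or from the cited sources. It shows a customer lookup for the Bike Stores database first in the concatenated form that the advice warns against and then in a parameterized form; the database name BikeStores, the sales.customers table and its columns, and the sales_app role are assumptions.

```sql
-- Added example (not from the paper): the same lookup written unsafely and
-- safely. Schema, table, column and role names are assumed.
USE BikeStores;   -- assumed database name
GO
-- Vulnerable form: the caller's text becomes part of the statement, so quote
-- characters inside @last_name change what the query means instead of being
-- compared as data. This is the pattern stored procedures should not use.
CREATE OR ALTER PROCEDURE sales.find_customers_unsafe
    @last_name NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT customer_id, first_name, last_name FROM sales.customers '
      + N'WHERE last_name = ''' + @last_name + N''';';
    EXEC (@sql);   -- code and data travel in one string
END;
GO
-- Hardened form: the value is a typed parameter, so it can only ever be data.
-- Dynamic SQL is kept only for the one part a parameter cannot express (the
-- ORDER BY column), which is checked against an allowlist and then quoted.
CREATE OR ALTER PROCEDURE sales.find_customers
    @last_name   NVARCHAR(50),
    @sort_column SYSNAME = N'last_name'
AS
BEGIN
    SET NOCOUNT ON;
    IF @sort_column NOT IN (N'last_name', N'first_name', N'customer_id')
        THROW 50001, N'Unsupported sort column.', 1;

    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT customer_id, first_name, last_name FROM sales.customers '
      + N'WHERE last_name = @p_last_name '
      + N'ORDER BY ' + QUOTENAME(@sort_column) + N';';

    -- sp_executesql sends the parameter separately from the statement text.
    EXEC sys.sp_executesql @sql,
         N'@p_last_name NVARCHAR(50)',
         @p_last_name = @last_name;
END;
GO
-- Application logins get EXECUTE on the procedure only, never SELECT on the
-- table, so a compromised application account cannot read the table directly.
CREATE ROLE sales_app;
GRANT EXECUTE ON OBJECT::sales.find_customers TO sales_app;
GO
```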
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals (Frankenfield, 2020). Compliance with the GDPR is vital when handling the personal data of customers, ensuring data protection, and obtaining explicit consent for data processing (Frankenfield, 2020). The Payment Card Industry Data Security Standard (PCI DSS) ensures that personal payment data remains private and requires merchants and service providers that store, process, or transmit customer payment card data to adopt security controls and processes to ensure data integrity (SimplePractice, 2023). Since the database contains sensitive payment card information, adherence to the PCI DSS standards is essential to protect cardholder data and maintain secure payment processing (SimplePractice, 2023). Lastly, data privacy is different for each state and country. Some states in the United States have passed their own data privacy laws (Murray, 2023). Complying with the data protection laws specific to the region of operation is necessary to ensure the privacy and security of customer information (Murray, 2023). You can confidently protect the sensitive financial and customer information in the Bike Stores database by implementing Microsoft SQL Server's robust security features and adhering to the applicable regulatory requirements.
References

MeeraDi, dplessMSFT, rwestMSFT, rothja, & PRMERGER18. (2023, April). SQL Server security best practices. Microsoft Learn. https://learn.microsoft.com/en-us/sql/relational-databases/security/sql-server-security-best-practices?view=sql-server-ver16

Singh, M. (2022, March 3). Understanding security testing for SQL Server environments. SQL Shack. https://www.sqlshack.com/understanding-security-testing-for-sql-server-environments/

IBM. (2023). Database security: An essential guide. https://www.ibm.com/topics/database-security

Frankenfield, J. (2020, November). General Data Protection Regulation (GDPR) definition and meaning. Investopedia. https://www.investopedia.com/terms/g/general-data-protection-regulation-gdpr.asp

SimplePractice. (2023). SimplePractice receives Payment Card Industry (PCI) Data Security Standard certification as a Level 1 service provider. https://www.simplepractice.com/press/simplepractice-receives-payment-card-industry-pci-data-security-standard-certification-as-a-level-1-service-provider/

Murray, C. (2023, September 12). U.S. data privacy protection laws: A comprehensive guide. Forbes. https://www.forbes.com/sites/conormurray/2023/04/21/us-data-privacy-protection-laws-a-comprehensive-guide/?sh=6fb199d35f92